Adding simple permission to routes

back/app/user/__init__.py

@@ -1,3 +1,3 @@
-from .routes import router as user_router, get_auth_router
-
+from .routes import router as user_router
+from .manager import get_auth_router
 from .models import User, AccessToken

back/app/user/manager.py

@@ -107,6 +107,7 @@ fastapi_users = FastAPIUsers[User, uuid.UUID](
 )
 
 get_current_user = fastapi_users.current_user(active=True)
+get_current_superuser = fastapi_users.current_user(active=True, superuser=True)
 
 
 def get_auth_router():

back/app/user/routes.py

@@ -7,15 +7,15 @@ from typing import List
 
 from .models import User
 from .schemas import UserRead, UserUpdate, UserCreate
-from .manager import get_user_manager, get_current_user, get_auth_router
+from .manager import get_user_manager, get_current_user, get_current_superuser
 
 
 router = APIRouter()
 
 
 @router.post("/", response_description="User added to the database")
-async def create(user: UserCreate, user_manager=Depends(get_user_manager)) -> dict:
-    await user_manager.create(user, safe=True)
+async def create(user_form: UserCreate, user_manager=Depends(get_user_manager), user=Depends(get_current_superuser)) -> dict:
+    await user_manager.create(user_form, safe=True)
     return {"message": "User added successfully"}
 
 
@@ -26,22 +26,22 @@ async def read_me(user=Depends(get_current_user)) -> UserRead:
 
 
 @router.get("/{id}", response_description="User record retrieved")
-async def read_id(id: PydanticObjectId) -> UserRead:
+async def read_id(id: PydanticObjectId, user=Depends(get_current_superuser)) -> UserRead:
     user = await User.get(id)
     return UserRead(**user.dict())
 
 
 @router.get("/", response_model=List[UserRead], response_description="User records retrieved")
-async def read_list() -> List[UserRead]:
+async def read_list(user=Depends(get_current_superuser)) -> List[UserRead]:
     users = await User.find_all().to_list()
     return users
 
 
 @router.put("/{id}", response_description="User record updated")
-async def update(id: PydanticObjectId, req: UserUpdate) -> UserRead:
-    req = {k: v for k, v in req.dict().items() if v is not None}
+async def update(id: PydanticObjectId, user_form: UserUpdate, user=Depends(get_current_superuser)) -> UserRead:
+    user_form = {k: v for k, v in user_form.dict().items() if v is not None}
     update_query = {"$set": {
-        field: value for field, value in req.items()
+        field: value for field, value in user_form.items()
     }}
 
     user = await User.get(id)
@@ -56,7 +56,7 @@ async def update(id: PydanticObjectId, req: UserUpdate) -> UserRead:
 
 
 @router.delete("/{id}", response_description="User record deleted from the database")
-async def delete(id: PydanticObjectId) -> dict:
+async def delete(id: PydanticObjectId, user=Depends(get_current_superuser)) -> dict:
     record = await User.get(id)
 
     if not record: